In the design of 1C:Enterprise, there are two configurations for OpenID Authentication:
(1) Administration --> User: a user is added with the check box "OpenID Authentication".
(2) Administration --> Publish to web server --> Additional pages: if only the provider address is provided, then many applications can connect to this provider. This causes certain risks.
Could you show me which guide for using the OpenID Authentication or how to implement it in the managed applications?
I perform the steps which are described in "1C:Enterprise. Administrator Guide" and can publish the application successfully. The service provider path is included in the <openid><rely url="path_of_service_provider"/></openid>.
But I don't see any differences in the login dialog when opening the application from a web browser.
Could you please give me an example about OpenID in 1C:Enterprise?
I created the "OpenID" infobase and published it. Then, I tried to use an SSL connection, but the application screen in the browser is clear. Please have a look at the screenshot (attachment: OpenID.png).
I viewed the page source and got the error message that the application could not write the data to the infobase folder. Then, I re-created the application in another place on the D: drive (without implementation except creating a Role and adding a new user which has the OpenID property).
However, I could not get the link in the URL as the screenshot in the previous post message to you. That means the OpenID is not active, I think so.
Please help me review my attached configuration in IIS.
OpenID authentication implies that you have one infobase serving as an OpenID provider and any number of working infobases using this provider instead of asking users for login and password. So you store logins and passwords in OpenID provider infobase and tell working infobases to get credentials from the provider. Note that normally the OpenID provider infobase is NOT a working infobase. It's a separate infobase (and a separate IIS publication).
What is where in your case? Does the OpenID IIS publication stand for the OpenID provider infobase? Where are the working infobases' publications then?
On the last screenshot, you try to connect to the OpenID provider infobase with a browser. Why? You are not supposed to do that. You need to connect to a working infobase. It will ask all it needs from the OpenID infobase.
Let me explain the context: I have some web applications, each written in a separate programming language. For example, Application 1 (.NET), Application 2 (PHP), ..., and a 1C managed application (1C:Enterprise). These applications are used in an organization which uses Microsoft Exchange Server. That means each person in the organization has an MS Exchange e-mail account, and the users of these applications should use ONLY one account (the e-mail account) to log in to these applications. It is required that if there are 3 browser tabs running Application 1, Application 2, and the 1C application, and I log in successfully to one application, Application 1 (using my e-mail account), then users can access the remaining Application 2 and the 1C application without logging in again.

According to my understanding, 1C:Enterprise supports the following authentication modes:
- 1C:Enterprise authentication,
- OS authentication, and
- OpenID authentication.

Then, I think there is a way for my case with OpenID authentication. Therefore my solution is to use a 3rd-party authentication application. I built an IdentityServer that provides authentication services, based on the sample here. IdentityServer is a framework and a hostable component that allows implementing single sign-on (SSO) and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. In order to authenticate via SSO, each application is provided a ClientId and ClientSecret so that SSO can detect the accepted authenticated applications.

At present, Application 1 and Application 2 can authenticate successfully via the SSO service by using the MS Exchange e-mail account. However, it is NOT successful with the 1C managed application. The following are my settings on the 1C managed application:
- The SSO service URI is filled in "OpenID provider address" (without a slash / at the end of the URI, based on the Administration Guide).
- SSL is enabled in the IIS web server.
- The application is published successfully.
That's my case! (I drew the model in the attachment.) Could you please give me a solution or advice?
To my knowledge, a 1C:Enterprise working infobase can use only one type of OpenID provider: another 1C:Enterprise infobase, published as such. If I'm right, you cannot use SSO as an OpenID provider; you need to use the 1C:Enterprise infobase instead. Which leads us to the next question: how do we use the 1C:Enterprise OpenID provider for .NET and PHP apps? I am not sure that it's even possible.
Please, give me some more time to delve into the issue. Maybe I will come up with some sort of solution for you.
Thank you very much for your support! I am looking forward to your investigation!
Today I tried to create OpenID with 1C:Enterprise and I failed with that. Could you please help me?
There are two PCs:
(1) Windows Server 2008. On this PC, the infobase is created as the OpenID provider (OpenID infobase):
- IIS is configured to enable SSL.
- The infobase is published successfully.
- One user is created as an OpenID user with full permissions granted.
(2) Windows 8.1 Enterprise. On this PC, the infobase is created to use OpenID authentication (CallOpenID infobase):
- The infobase is published successfully with the OpenID provider filled in: https://serverIPaddress/OpenID/e1cib/oida
- Users can access the provider infobase via browser normally from the URL: https://serverIPaddress/OpenID
However, when I run CallOpenID via browser (web client) (https://localhost/CallOpenID), I cannot log in with the OpenID users on the server (OpenID provider users).
Please have a look at the screenshot attachments for more details. Could you please let me know which is wrong?
Additionally, in case CallOpenID and OpenID have the same username, what will happen when users log in from the client with this username?
1. What is "serveripaddress" and "server ID add"? You replaced the real IP with this for the forum only? Or these are real addresses you use?
2. What is "/e1cib/oida"? The correct address of an OpenID provider should be the following: "https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op"
3. After you publish the OpenID provider infobase, you should be able to download the oid2op file by going to this address with your browser. If the download doesn't start then something's wrong. Please check it. If the download works, please send me the oid2op file you downloaded.
>1. What is "serveripaddress" and "server ID add"? You replaced the real IP with this for the forum only? Or these are real addresses you use?
"Server IP add" means the IIS site address.

>2. What is "/e1cib/oida"? The correct address of an OpenID provider should be the following: "https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op"
I filled in this "/e1cib/oida" based on the guide on page 167: "7.5 CONFIGURING OPENID AUTHENTICATION SUPPORT" in "1C:Enterprise 8.3. Administrator Guide" (Publication Number: 83.103.02). Could you please confirm the content?

>3. After you publish the OpenID provider infobase, you should be able to download the oid2op file by going to this address with your browser. If the download doesn't start then something's wrong. Please check it. If the download works, please send me the oid2op file you downloaded.
Please have a look at the attachment file (oid2op.zip).

>Why do you need OpenID at all? You could use Active Directory authentication with 1C infobase.
Do you mean I should use OS Authentication instead of OpenID? The reason is that the users need to use their e-mail accounts to log in to the 1C application. But their PCs have not joined the organization domain. So users can only perform OS authentication with the local OS accounts (PC-Name\AccountName). I tried to fill in \\domain\username in "User" of OS authentication, but it has no effect.
2. I am pretty sure that the correct URL has to end with "/e1cib/oid2op". Please, try to use it and let me know if it works.
I don't know why it reads "oida" in the documentation. Looks like an error to me. I will figure it out and let you know.
3. Your attachment contains two screenshots. What I asked you to send me is not screenshots. I need an XML file, containing the description of your OpenID provider. To get this file you need to put "https://localhost/OpenID/e1cib/oid2op" in the browser.
Please, note that there is no "en_US" or "?cmd=init" in this string. Please, also note, that the correct URL ends with "oid2op" - not "oid2rp" as in the URL in your screenshot.
After you go to this link, a browser should ask you where you want to save the file. Specify the folder, download the file and send it to me. If a browser doesn't ask you where to save the file, send me what exactly it shows after you go to the URL.
The file you sent me is not the oid2op file. Could you, please, do the following steps for me?
1. Open your browser.
2. Copy this link to the browser's address line: https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op
3. Replace <IIS site address> with an actual name or IP address of the IIS web server you have published the OpenID provider infobase on.
4. Replace <OpenID provider IB> with an actual name of the OpenID provider infobase.
5. Press Enter.
6. If the address is correct, the "Download as" standard system dialogue will appear.
7. Select a directory to save the file. Do not change the file name.
8. Press OK.
9. Go to the directory you've selected on step 7, find the file oid2op and send it to me.
If you experience any problem on any of those steps, please send me the following information:
What step were you on?
What exactly did you do?
What exactly did you see? Please make a screenshot and attach it to your message.
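
An added example, not part of the thread and not 1C's own code: a Python check of the provider address form given in the replies above (`https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op`, with no `?cmd=init`, no `en_US` and no trailing slash), applied to the `<openid><rely url="..."/></openid>` entry of a working infobase's publication descriptor. The sample descriptor, the host name and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROVIDER_SUFFIX = "/e1cib/oid2op"  # suffix stated in the thread

def local(tag):
    """Drop an XML namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def rely_urls(descriptor_xml):
    """Return every url attribute of <rely> elements nested in <openid>."""
    urls = []
    for node in ET.fromstring(descriptor_xml).iter():
        if local(node.tag) == "openid":
            urls += [c.get("url", "") for c in node if local(c.tag) == "rely"]
    return urls

def check_provider_url(url):
    """Return a list of problems; an empty list means the expected shape."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.netloc:
        problems.append("no host")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present (e.g. ?cmd=init)")
    if parts.path.endswith("/"):
        problems.append("trailing slash")
    path = parts.path.rstrip("/")
    segments = [s for s in path.split("/") if s]
    if "en_US" in segments:
        problems.append("locale segment en_US in path")
    if not path.endswith(PROVIDER_SUFFIX):
        last = segments[-1] if segments else ""
        problems.append(f"path ends with {last!r}, expected {PROVIDER_SUFFIX!r}")
    elif len(segments) < 3:
        problems.append("no infobase name before /e1cib/oid2op")
    return problems

# Constructed sample; server.example and the infobase names are placeholders.
SAMPLE_DESCRIPTOR = """<point base="/CallOpenID">
  <openid><rely url="https://server.example/OpenID/e1cib/oida"/></openid>
</point>"""

if __name__ == "__main__":
    for u in rely_urls(SAMPLE_DESCRIPTOR):
        print(u, "->", check_provider_url(u) or "OK")
```
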
Please help me check my steps for creating the OpenID provider infobase in the attached screenshots and the downloaded file (OpenIDProvider.zip).
NOTE: My environment is:
- Windows Server 2012 R2 Datacenter
- 1C:Enterprise 8.3 (8.3.7.1790)
- Google Chrome Version 48.0.2564.109
- IIS version 8.5.9600.16384
In order for me to help you I need you to do exactly the following steps (same as in my last comment):
1. Open your browser.
2. Copy this link to the browser's address line: https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op
3. Replace <IIS site address> with an actual name or IP address of the IIS web server you have published the OpenID provider infobase on.
4. Replace <OpenID provider IB> with an actual name of the OpenID provider infobase.
5. Press Enter.
6. If the address is correct, the "Download as" standard system dialogue will appear.
7. Select a directory to save the file. Do not change the file name.
8. Press OK.
9. Go to the directory you've selected on step 7, find the file oid2op and send it to me.
I don't need you to do anything else and I won't be able to help you until you do these steps.
Do you understand how to perform these steps? Can you perform these steps for me? Can you explain why you don't do what I'm asking?
Not sure what certificate you are referring to. If we are talking about SSL certificates, then the answer depends on the certificate you've got. Every SSL certificate belongs to a specific domain (like mysite.mydomain.ru or mydomain*). If both the OpenID provider and the main databases are published within this domain, then they will be using the same SSL certificate.